11 files changed, 761 insertions, 345 deletions
diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
index b9cc24a7ac..6f23490c87 100644
--- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
+++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh
@@ -1 +1,5 @@
 export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf"
+export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs"
+export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt"
+export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/"
+export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3"
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
new file mode 100644
index 0000000000..aa2e5bb800
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch
@@ -0,0 +1,374 @@
+From 5ba65051fea0513db0d997f0ab7cafb9826ed74a Mon Sep 17 00:00:00 2001
+From: William Lyu <William.Lyu@windriver.com>
+Date: Fri, 20 Oct 2023 16:22:37 -0400
+Subject: [PATCH] Added handshake history reporting when test fails
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481]
+Signed-off-by: William Lyu <William.Lyu@windriver.com>
+---
+ test/helpers/handshake.c | 139 +++++++++++++++++++++++++++++----------
+ test/helpers/handshake.h |  70 +++++++++++++++++++-
+ test/ssl_test.c          |  44 +++++++++++++
+ 3 files changed, 218 insertions(+), 35 deletions(-)
+diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
+index e0422469e4..ae2ad59dd4 100644
+--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -24,6 +24,102 @@
+ #include <netinet/sctp.h>
+ #endif
+/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
+/* Maps string names to various enumeration type */
+typedef struct {
+    const char *name;
+    int value;
+} enum_name_map;
+
+static const enum_name_map connect_phase_names[] = {
+    {"Handshake", HANDSHAKE},
+    {"RenegAppData", RENEG_APPLICATION_DATA},
+    {"RenegSetup", RENEG_SETUP},
+    {"RenegHandshake", RENEG_HANDSHAKE},
+    {"AppData", APPLICATION_DATA},
+    {"Shutdown", SHUTDOWN},
+    {"ConnectionDone", CONNECTION_DONE}
+};
+
+static const enum_name_map peer_status_names[] = {
+    {"PeerSuccess", PEER_SUCCESS},
+    {"PeerRetry", PEER_RETRY},
+    {"PeerError", PEER_ERROR},
+    {"PeerWaiting", PEER_WAITING},
+    {"PeerTestFail", PEER_TEST_FAILURE}
+};
+
+static const enum_name_map handshake_status_names[] = {
+    {"HandshakeSuccess", HANDSHAKE_SUCCESS},
+    {"ClientError", CLIENT_ERROR},
+    {"ServerError", SERVER_ERROR},
+    {"InternalError", INTERNAL_ERROR},
+    {"HandshakeRetry", HANDSHAKE_RETRY}
+};
+
+/* Shamelessly copied from test/helpers/ssl_test_ctx.c */
+static const char *enum_name(const enum_name_map *enums, size_t num_enums,
+                             int value)
+{
+    size_t i;
+    for (i = 0; i < num_enums; i++) {
+        if (enums[i].value == value) {
+            return enums[i].name;
+        }
+    }
+    return "InvalidValue";
+}
+
+const char *handshake_connect_phase_name(connect_phase_t phase)
+{
+    return enum_name(connect_phase_names, OSSL_NELEM(connect_phase_names),
+                     (int)phase);
+}
+
+const char *handshake_status_name(handshake_status_t handshake_status)
+{
+    return enum_name(handshake_status_names, OSSL_NELEM(handshake_status_names),
+                     (int)handshake_status);
+}
+
+const char *handshake_peer_status_name(peer_status_t peer_status)
+{
+    return enum_name(peer_status_names, OSSL_NELEM(peer_status_names),
+                     (int)peer_status);
+}
+
+static void save_loop_history(HANDSHAKE_HISTORY *history,
+                              connect_phase_t phase,
+                              handshake_status_t handshake_status,
+                              peer_status_t server_status,
+                              peer_status_t client_status,
+                              int client_turn_count,
+                              int is_client_turn)
+{
+    HANDSHAKE_HISTORY_ENTRY *new_entry = NULL;
+
+    /*
+     * Create a new history entry for a handshake loop with statuses given in
+     * the arguments. Potentially evicting the oldest entry when the
+     * ring buffer is full.
+     */
+    ++(history->last_idx);
+    history->last_idx &= MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
+
+    new_entry = &((history->entries)[history->last_idx]);
+    new_entry->phase = phase;
+    new_entry->handshake_status = handshake_status;
+    new_entry->server_status = server_status;
+    new_entry->client_status = client_status;
+    new_entry->client_turn_count = client_turn_count;
+    new_entry->is_client_turn = is_client_turn;
+
+    /* Evict the oldest handshake loop entry when the ring buffer is full. */
+    if (history->entry_count < MAX_HANDSHAKE_HISTORY_ENTRY) {
+        ++(history->entry_count);
+    }
+}
+
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void)
+ {
+     HANDSHAKE_RESULT *ret;
+@@ -719,15 +815,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client,
+         SSL_set_post_handshake_auth(client, 1);
+ }
+-/* The status for each connection phase. */
+-typedef enum {
+-    PEER_SUCCESS,
+-    PEER_RETRY,
+-    PEER_ERROR,
+-    PEER_WAITING,
+-    PEER_TEST_FAILURE
+-} peer_status_t;
+-
+ /* An SSL object and associated read-write buffers. */
+ typedef struct peer_st {
+     SSL *ssl;
+@@ -1074,17 +1161,6 @@ static void do_shutdown_step(PEER *peer)
+     }
+ }
+-typedef enum {
+-    HANDSHAKE,
+-    RENEG_APPLICATION_DATA,
+-    RENEG_SETUP,
+-    RENEG_HANDSHAKE,
+-    APPLICATION_DATA,
+-    SHUTDOWN,
+-    CONNECTION_DONE
+-} connect_phase_t;
+-
+-
+ static int renegotiate_op(const SSL_TEST_CTX *test_ctx)
+ {
+     switch (test_ctx->handshake_mode) {
+@@ -1162,19 +1238,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer,
+     }
+ }
+-typedef enum {
+-    /* Both parties succeeded. */
+-    HANDSHAKE_SUCCESS,
+-    /* Client errored. */
+-    CLIENT_ERROR,
+-    /* Server errored. */
+-    SERVER_ERROR,
+-    /* Peers are in inconsistent state. */
+-    INTERNAL_ERROR,
+-    /* One or both peers not done. */
+-    HANDSHAKE_RETRY
+-} handshake_status_t;
+-
+ /*
+  * Determine the handshake outcome.
+  * last_status: the status of the peer to have acted last.
+@@ -1539,6 +1602,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+     start = time(NULL);
+    save_loop_history(&(ret->history),
+                      phase, status, server.status, client.status,
+                      client_turn_count, client_turn);
+
+     /*
+      * Half-duplex handshake loop.
+      * Client and server speak to each other synchronously in the same process.
+@@ -1560,6 +1627,10 @@ static HANDSHAKE_RESULT *do_handshake_internal(
+                                       0 /* server went last */);
+         }
+        save_loop_history(&(ret->history),
+                          phase, status, server.status, client.status,
+                          client_turn_count, client_turn);
+
+         switch (status) {
+         case HANDSHAKE_SUCCESS:
+             client_turn_count = 0;
+diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h
+index 78b03f9f4b..b9967c2623 100644
+--- a/test/helpers/handshake.h
+++ b/test/helpers/handshake.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the Apache License 2.0 (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -12,6 +12,11 @@
+ #include "ssl_test_ctx.h"
+#define MAX_HANDSHAKE_HISTORY_ENTRY_BIT 4
+#define MAX_HANDSHAKE_HISTORY_ENTRY (1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT)
+#define MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK \
+    ((1 << MAX_HANDSHAKE_HISTORY_ENTRY_BIT) - 1)
+
+ typedef struct ctx_data_st {
+     unsigned char *npn_protocols;
+     size_t npn_protocols_len;
+@@ -22,6 +27,63 @@ typedef struct ctx_data_st {
+     char *session_ticket_app_data;
+ } CTX_DATA;
+typedef enum {
+    HANDSHAKE,
+    RENEG_APPLICATION_DATA,
+    RENEG_SETUP,
+    RENEG_HANDSHAKE,
+    APPLICATION_DATA,
+    SHUTDOWN,
+    CONNECTION_DONE
+} connect_phase_t;
+
+/* The status for each connection phase. */
+typedef enum {
+    PEER_SUCCESS,
+    PEER_RETRY,
+    PEER_ERROR,
+    PEER_WAITING,
+    PEER_TEST_FAILURE
+} peer_status_t;
+
+typedef enum {
+    /* Both parties succeeded. */
+    HANDSHAKE_SUCCESS,
+    /* Client errored. */
+    CLIENT_ERROR,
+    /* Server errored. */
+    SERVER_ERROR,
+    /* Peers are in inconsistent state. */
+    INTERNAL_ERROR,
+    /* One or both peers not done. */
+    HANDSHAKE_RETRY
+} handshake_status_t;
+
+/* Stores the various status information in a handshake loop. */
+typedef struct handshake_history_entry_st {
+    connect_phase_t phase;
+    handshake_status_t handshake_status;
+    peer_status_t server_status;
+    peer_status_t client_status;
+    int client_turn_count;
+    int is_client_turn;
+} HANDSHAKE_HISTORY_ENTRY;
+
+typedef struct handshake_history_st {
+    /* Implemented using ring buffer. */
+    /*
+     * The valid entries are |entries[last_idx]|, |entries[last_idx-1]|,
+     * ..., etc., going up to |entry_count| number of entries. Note that when
+     * the index into the array |entries| becomes < 0, we wrap around to
+     * the end of |entries|.
+     */
+    HANDSHAKE_HISTORY_ENTRY entries[MAX_HANDSHAKE_HISTORY_ENTRY];
+    /* The number of valid entries in |entries| array. */
+    size_t entry_count;
+    /* The index of the last valid entry in the |entries| array. */
+    size_t last_idx;
+} HANDSHAKE_HISTORY;
+
+ typedef struct handshake_result {
+     ssl_test_result_t result;
+     /* These alerts are in the 2-byte format returned by the info_callback. */
+@@ -77,6 +139,8 @@ typedef struct handshake_result {
+     char *cipher;
+     /* session ticket application data */
+     char *result_session_ticket_app_data;
+    /* handshake loop history */
+    HANDSHAKE_HISTORY history;
+ } HANDSHAKE_RESULT;
+ HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void);
+@@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
+                                     CTX_DATA *server2_ctx_data,
+                                     CTX_DATA *client_ctx_data);
+const char *handshake_connect_phase_name(connect_phase_t phase);
+const char *handshake_status_name(handshake_status_t handshake_status);
+const char *handshake_peer_status_name(peer_status_t peer_status);
+
+ #endif  /* OSSL_TEST_HANDSHAKE_HELPER_H */
+diff --git a/test/ssl_test.c b/test/ssl_test.c
+index ea608518f9..9d6b093c81 100644
+--- a/test/ssl_test.c
+++ b/test/ssl_test.c
+@@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL;
+ /* Currently the section names are of the form test-<number>, e.g. test-15. */
+ #define MAX_TESTCASE_NAME_LENGTH 100
+static void print_handshake_history(const HANDSHAKE_HISTORY *history)
+{
+    size_t first_idx;
+    size_t i;
+    size_t cur_idx;
+    const HANDSHAKE_HISTORY_ENTRY *cur_entry;
+    const char header_template[] = "|%14s|%16s|%16s|%16s|%17s|%14s|";
+    const char body_template[]   = "|%14s|%16s|%16s|%16s|%17d|%14s|";
+
+    TEST_info("The following is the server/client state "
+              "in the most recent %d handshake loops.",
+              MAX_HANDSHAKE_HISTORY_ENTRY);
+
+    TEST_note("=================================================="
+              "==================================================");
+    TEST_note(header_template,
+              "phase", "handshake status", "server status",
+              "client status", "client turn count", "is client turn");
+    TEST_note("+--------------+----------------+----------------"
+              "+----------------+-----------------+--------------+");
+
+    first_idx = (history->last_idx - history->entry_count + 1) &
+                MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
+    for (i = 0; i < history->entry_count; ++i) {
+        cur_idx = (first_idx + i) & MAX_HANDSHAKE_HISTORY_ENTRY_IDX_MASK;
+        cur_entry = &(history->entries)[cur_idx];
+        TEST_note(body_template,
+                  handshake_connect_phase_name(cur_entry->phase),
+                  handshake_status_name(cur_entry->handshake_status),
+                  handshake_peer_status_name(cur_entry->server_status),
+                  handshake_peer_status_name(cur_entry->client_status),
+                  cur_entry->client_turn_count,
+                  cur_entry->is_client_turn ? "true" : "false");
+    }
+    TEST_note("=================================================="
+              "==================================================");
+}
+
+ static const char *print_alert(int alert)
+ {
+     return alert ? SSL_alert_desc_string_long(alert) : "no alert";
+@@ -388,6 +426,12 @@ static int check_test(HANDSHAKE_RESULT *result, SSL_TEST_CTX *test_ctx)
+         ret &= check_client_sign_type(result, test_ctx);
+         ret &= check_client_ca_names(result, test_ctx);
+     }
+
+    /* Print handshake loop history if any check fails. */
+    if (!ret) {
+        print_handshake_history(&(result->history));
+    }
+
+     return ret;
+ }
+--
+2.25.1
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
new file mode 100644
index 0000000000..502a7aaf32
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -0,0 +1,39 @@
+From 0377f0d5b5c1079e3b9a80881f4dcc891cbe9f9a Mon Sep 17 00:00:00 2001
+From: Alexander Kanavin <alex@linutronix.de>
+Date: Tue, 30 May 2023 09:11:27 -0700
+Subject: [PATCH] Configure: do not tweak mips cflags
+This conflicts with mips machine definitons from yocto,
+e.g.
+| Error: -mips3 conflicts with the other architecture options, which imply -mips64r2
+Upstream-Status: Inappropriate [oe-core specific]
+Signed-off-by: Alexander Kanavin <alex@linutronix.de>
+Refreshed for openssl-3.1.1
+Signed-off-by: Tim Orling <tim.orling@konsulko.com>
+---
+ Configure | 10 ----------
+ 1 file changed, 10 deletions(-)
+diff --git a/Configure b/Configure
+index 4569952..adf019b 100755
+--- a/Configure
+++ b/Configure
+@@ -1422,16 +1422,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+         push @{$config{shared_ldflag}}, "-mno-cygwin";
+         }
+ 
+-if ($target =~ /linux.*-mips/ && !$disabled{asm}
+-        && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) {
+-        # minimally required architecture flags for assembly modules
+-        my $value;
+-        $value = '-mips2' if ($target =~ /mips32/);
+-        $value = '-mips3' if ($target =~ /mips64/);
+-        unshift @{$config{cflags}}, $value;
+-        unshift @{$config{cxxflags}}, $value if $config{CXX};
+-}
+-
+ # If threads aren't disabled, check how possible they are
+ unless ($disabled{threads}) {
+     if ($auto_threads) {
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
index 949c788344..bafdbaa46f 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -1,4 +1,4 @@
-From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
+From 5985253f2c9025d7c127443a3a9938946f80c2a1 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
 Date: Tue, 6 Nov 2018 14:50:47 +0100
 Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
@@ -21,20 +21,24 @@ https://patchwork.openembedded.org/patch/147229/
 Upstream-Status: Inappropriate [OE specific]
 Signed-off-by: Martin Hundebøll <martin@geanix.com>
 Update to fix buildpaths qa issue for '-fmacro-prefix-map'.
 Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Update to fix buildpaths qa issue for '-ffile-prefix-map'.
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- Configurations/unix-Makefile.tmpl | 10 +++++++++-
+ Configurations/unix-Makefile.tmpl | 12 +++++++++++-
 crypto/build.info                 |  2 +-
- 2 files changed, 10 insertions(+), 2 deletions(-)
+ 2 files changed, 12 insertions(+), 2 deletions(-)
-diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl
-index 16af4d2087..54c162784c 100644
+===================================================================
--- a/Configurations/unix-Makefile.tmpl
+--- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl
-+++ b/Configurations/unix-Makefile.tmpl
+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl
-@@ -317,13 +317,22 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+@@ -472,13 +472,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lfl
                          '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
 BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
 
@@ -49,6 +53,7 @@ index 16af4d2087..54c162784c 100644
 +CFLAGS_Q={- for (@{$config{CFLAGS}}) {
 +              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
 +              s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g;
+              s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g;
 +            }
 +            join(' ', @{$config{CFLAGS}}) -}
 +
@@ -58,19 +63,16 @@ index 16af4d2087..54c162784c 100644
 PERLASM_SCHEME= {- $target{perlasm_scheme} -}
 
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
-diff --git a/crypto/build.info b/crypto/build.info
+Index: openssl-3.0.4/crypto/build.info
-index b515b7318e..8c9cee2a09 100644
+===================================================================
--- a/crypto/build.info
+--- openssl-3.0.4.orig/crypto/build.info
-+++ b/crypto/build.info
+++ openssl-3.0.4/crypto/build.info
-@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
+@@ -109,7 +109,7 @@ DEFINE[../libcrypto]=$UPLINKDEF
-         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
 
+ DEPEND[info.o]=buildinf.h
 DEPEND[cversion.o]=buildinf.h
 -GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
 +GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
- DEPEND[buildinf.h]=../configdata.pm
 
- GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
+ GENERATE[uplink-x86.S]=../ms/uplink-x86.pl
-- 
+ GENERATE[uplink-x86_64.s]=../ms/uplink-x86_64.pl
-2.19.1
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch b/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
deleted file mode 100644
index d8d9651b64..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-skip-test_symbol_presence.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a9401b2289656c5a36dd1b0ecebf0d23e291ce70 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 2 Oct 2018 23:58:24 +0800
-Subject: [PATCH] skip test_symbol_presence
-We cannot skip `01-test_symbol_presence.t' by configuring option `no-shared'
-as INSTALL told us the shared libraries will not be built.
-[INSTALL snip]
- Notes on shared libraries
- -------------------------
- For most systems the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl. On these systems
- the shared libraries will be created by default. This can be suppressed and
- only static libraries created by using the "no-shared" option. On systems
- where OpenSSL does not know how to build shared libraries the "no-shared"
- option will be forced and only static libraries will be created.
-[INSTALL snip]
-Hence directly modification the case to skip it.
-Upstream-Status: Inappropriate [OE Specific]
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
- test/recipes/01-test_symbol_presence.t | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t
-index 7f2a2d7..0b93745 100644
--- a/test/recipes/01-test_symbol_presence.t
-+++ b/test/recipes/01-test_symbol_presence.t
-@@ -14,8 +14,7 @@ use OpenSSL::Test::Utils;
- 
- setup("test_symbol_presence");
- 
-plan skip_all => "Only useful when building shared libraries"
-    if disabled("shared");
-+plan skip_all => "The case needs debug symbols then we just disable it";
- 
- my @libnames = ("crypto", "ssl");
- my $testcount = scalar @libnames;
-- 
-2.7.4
diff --git a/meta/recipes-connectivity/openssl/openssl/afalg.patch b/meta/recipes-connectivity/openssl/openssl/afalg.patch
deleted file mode 100644
index b7c0e9697f..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/afalg.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Don't refuse to build afalgeng if cross-compiling or the host kernel is too old.
-Upstream-Status: Submitted [hhttps://github.com/openssl/openssl/pull/7688]
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-diff --git a/Configure b/Configure
-index 3baa8ce..9ef52ed 100755
--- a/Configure
-+++ b/Configure
-@@ -1550,20 +1550,7 @@ unless ($disabled{"crypto-mdebug-backtrace"})
- unless ($disabled{afalgeng}) {
-     $config{afalgeng}="";
-     if (grep { $_ eq 'afalgeng' } @{$target{enable}}) {
-        my $minver = 4*10000 + 1*100 + 0;
-        if ($config{CROSS_COMPILE} eq "") {
-            my $verstr = `uname -r`;
-            my ($ma, $mi1, $mi2) = split("\\.", $verstr);
-            ($mi2) = $mi2 =~ /(\d+)/;
-            my $ver = $ma*10000 + $mi1*100 + $mi2;
-            if ($ver < $minver) {
-                disable('too-old-kernel', 'afalgeng');
-            } else {
-                push @{$config{engdirs}}, "afalg";
-            }
-        } else {
-            disable('cross-compiling', 'afalgeng');
-        }
-+        push @{$config{engdirs}}, "afalg";
-     } else {
-         disable('not-linux', 'afalgeng');
-     }
diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch
new file mode 100644
index 0000000000..748576c30c
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/bti.patch
@@ -0,0 +1,58 @@
+From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Tue, 26 Mar 2024 13:18:00 +0000
+Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
+In Arm systems where BTI is enabled but the Crypto extensions are not (more
+likely in FVPs than in real hardware), the bit-sliced assembler code will
+be used. However, this wasn't annotated with BTI instructions when BTI was
+enabled, so the moment libssl jumps into this code it (correctly) aborts.
+Solve this by adding the missing BTI landing pads.
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ crypto/aes/asm/bsaes-armv8.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
+index b3c97e439f..c3c5ff3e05 100644
+--- a/crypto/aes/asm/bsaes-armv8.pl
+++ b/crypto/aes/asm/bsaes-armv8.pl
+@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
+ //   Initialisation vector overwritten with last quadword of ciphertext
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_cbc_encrypt:
+        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #128
+         bhs     .Lcbc_do_bsaes
+         b       AES_cbc_encrypt
+@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
+ //   Output text filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_ctr32_encrypt_blocks:
+-
+        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #8                      // use plain AES for
+         blo     .Lctr_enc_short             // small sizes
+ 
+@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
+ //   Output ciphertext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_encrypt:
+        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
+ //   Output plaintext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_decrypt:
+        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+-- 
+2.34.1
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducible.patch b/meta/recipes-connectivity/openssl/openssl/reproducible.patch
deleted file mode 100644
index a24260c95d..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/reproducible.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-The value for perl_archname can vary depending on the host, e.g. 
-x86_64-linux-gnu-thread-multi or x86_64-linux-thread-multi which
-makes the ptest package non-reproducible. Its unused other than 
-these references so drop it.
-RP 2020/2/6
-Upstream-Status: Pending
-Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-Index: openssl-1.1.1d/Configure
-===================================================================
--- openssl-1.1.1d.orig/Configure
-+++ openssl-1.1.1d/Configure
-@@ -286,7 +286,7 @@ if (defined env($local_config_envname))
- # Save away perl command information
- $config{perl_cmd} = $^X;
- $config{perl_version} = $Config{version};
-$config{perl_archname} = $Config{archname};
-+#$config{perl_archname} = $Config{archname};
- 
- $config{prefix}="";
- $config{openssldir}="";
-@@ -2517,7 +2517,7 @@ _____
-                           @{$config{perlargv}}), "\n";
-         print "\nPerl information:\n\n";
-         print '    ',$config{perl_cmd},"\n";
-        print '    ',$config{perl_version},' for ',$config{perl_archname},"\n";
-+        print '    ',$config{perl_version},"\n";
-     }
-     if ($dump || $options) {
-         my $longest = 0;
diff --git a/meta/recipes-connectivity/openssl/openssl/run-ptest b/meta/recipes-connectivity/openssl/openssl/run-ptest
index 3fb22471f8..c89ec5afa1 100644
--- a/meta/recipes-connectivity/openssl/openssl/run-ptest
+++ b/meta/recipes-connectivity/openssl/openssl/run-ptest
@@ -9,4 +9,4 @@ export TOP=.
 # OPENSSL_ENGINES is relative from the test binaries
 export OPENSSL_ENGINES=../engines
-perl ./test/run_tests.pl $* | perl -0pe 's#(.*) \.*.ok#PASS: \1#g; s#(.*) \.*.skipped: (.*)#SKIP: \1 (\2)#g; s#(.*) \.*.\nDubious#FAIL: \1#;'
+{ HARNESS_JOBS=4 perl ./test/run_tests.pl $* || echo "FAIL: openssl" ; } | sed -u -r -e '/(.*) \.*.ok/ s/^/PASS: /g' -r -e '/Dubious(.*)/ s/^/FAIL: /g' -e '/(.*) \.*.skipped: (.*)/ s/^/SKIP: /g'
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
deleted file mode 100644
index 815955837b..0000000000
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1g.bb
+++ /dev/null
@@ -1,215 +0,0 @@
-SUMMARY = "Secure Socket Layer"
-DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
-HOMEPAGE = "http://www.openssl.org/"
-BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
-SECTION = "libs/network"
-# "openssl" here actually means both OpenSSL and SSLeay licenses apply
-# (see meta/files/common-licenses/OpenSSL to which "openssl" is SPDXLICENSEMAPped)
-LICENSE = "openssl"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=d343e62fc9c833710bbbed25f27364c8"
-DEPENDS = "hostperl-runtime-native"
-SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
-           file://run-ptest \
-           file://0001-skip-test_symbol_presence.patch \
-           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
-           file://afalg.patch \
-           file://reproducible.patch \
-           "
-SRC_URI_append_class-nativesdk = " \
-           file://environment.d-openssl.sh \
-           "
-SRC_URI[sha256sum] = "ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
-inherit lib_package multilib_header multilib_script ptest
-MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
-PACKAGECONFIG ?= ""
-PACKAGECONFIG_class-native = ""
-PACKAGECONFIG_class-nativesdk = ""
-PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
-B = "${WORKDIR}/build"
-do_configure[cleandirs] = "${B}"
-#| ./libcrypto.so: undefined reference to `getcontext'
-#| ./libcrypto.so: undefined reference to `setcontext'
-#| ./libcrypto.so: undefined reference to `makecontext'
-EXTRA_OECONF_append_libc-musl = " no-async"
-EXTRA_OECONF_append_libc-musl_powerpc64 = " no-asm"
-# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
-# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
-EXTRA_OECONF_class-native = "--with-rand-seed=os,devrandom"
-EXTRA_OECONF_class-nativesdk = "--with-rand-seed=os,devrandom"
-# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
-CFLAGS_append_class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-CFLAGS_append_class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
-do_configure () {
-        os=${HOST_OS}
-        case $os in
-        linux-gnueabi |\
-        linux-gnuspe |\
-        linux-musleabi |\
-        linux-muslspe |\
-        linux-musl )
-                os=linux
-                ;;
-        *)
-                ;;
-        esac
-        target="$os-${HOST_ARCH}"
-        case $target in
-        linux-arm*)
-                target=linux-armv4
-                ;;
-        linux-aarch64*)
-                target=linux-aarch64
-                ;;
-        linux-i?86 | linux-viac3)
-                target=linux-x86
-                ;;
-        linux-gnux32-x86_64 | linux-muslx32-x86_64 )
-                target=linux-x32
-                ;;
-        linux-gnu64-x86_64)
-                target=linux-x86_64
-                ;;
-        linux-mips | linux-mipsel)
-                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
-                target="linux-mips32 ${TARGET_CC_ARCH}"
-                ;;
-        linux-gnun32-mips*)
-                target=linux-mips64
-                ;;
-        linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
-                target=linux64-mips64
-                ;;
-        linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
-                target=linux-generic32
-                ;;
-        linux-powerpc)
-                target=linux-ppc
-                ;;
-        linux-powerpc64)
-                target=linux-ppc64
-                ;;
-        linux-powerpc64le)
-                target=linux-ppc64le
-                ;;
-        linux-riscv32)
-                target=linux-generic32
-                ;;
-        linux-riscv64)
-                target=linux-generic64
-                ;;
-        linux-sparc | linux-supersparc)
-                target=linux-sparcv9
-                ;;
-        esac
-        useprefix=${prefix}
-        if [ "x$useprefix" = "x" ]; then
-                useprefix=/
-        fi
-        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
-        # environment variables set by bitbake. Adjust the environment variables instead.
-        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="${S}/external/perl/Text-Template-1.46/lib/" \
-        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} --prefix=$useprefix --openssldir=${libdir}/ssl-1.1 --libdir=${libdir} $target
-        perl ${B}/configdata.pm --dump
-}
-do_install () {
-        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install
-        oe_multilib_header openssl/opensslconf.h
-        # Create SSL structure for packages such as ca-certificates which
-        # contain hard-coded paths to /etc/ssl. Debian does the same.
-        install -d ${D}${sysconfdir}/ssl
-        mv ${D}${libdir}/ssl-1.1/certs \
-           ${D}${libdir}/ssl-1.1/private \
-           ${D}${libdir}/ssl-1.1/openssl.cnf \
-           ${D}${sysconfdir}/ssl/
-        # Although absolute symlinks would be OK for the target, they become
-        # invalid if native or nativesdk are relocated from sstate.
-        ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-1.1/certs
-        ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-1.1/private
-        ln -sf ${@oe.path.relative('${libdir}/ssl-1.1', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-1.1/openssl.cnf
-}
-do_install_append_class-native () {
-        create_wrapper ${D}${bindir}/openssl \
-            OPENSSL_CONF=${libdir}/ssl-1.1/openssl.cnf \
-            SSL_CERT_DIR=${libdir}/ssl-1.1/certs \
-            SSL_CERT_FILE=${libdir}/ssl-1.1/cert.pem \
-            OPENSSL_ENGINES=${libdir}/engines-1.1
-}
-do_install_append_class-nativesdk () {
-        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
-        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-        sed 's|/usr/lib/ssl/|/usr/lib/ssl-1.1/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
-}
-PTEST_BUILD_HOST_FILES += "configdata.pm"
-PTEST_BUILD_HOST_PATTERN = "perl_version ="
-do_install_ptest () {
-        # Prune the build tree
-        rm -f ${B}/fuzz/*.* ${B}/test/*.*
-        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
-        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
-        # For test_shlibload
-        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
-        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
-        install -d ${D}${PTEST_PATH}/apps
-        ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
-        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
-        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
-        install -d ${D}${PTEST_PATH}/engines
-        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
-}
-# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
-# package RRECOMMENDS on this package. This will enable the configuration
-# file to be installed for both the openssl-bin package and the libcrypto
-# package since the openssl-bin package depends on the libcrypto package.
-PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc"
-FILES_libcrypto = "${libdir}/libcrypto${SOLIBS}"
-FILES_libssl = "${libdir}/libssl${SOLIBS}"
-FILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
-                      ${libdir}/ssl-1.1/openssl.cnf* \
-                      "
-FILES_${PN}-engines = "${libdir}/engines-1.1"
-FILES_${PN}-misc = "${libdir}/ssl-1.1/misc"
-FILES_${PN} =+ "${libdir}/ssl-1.1/*"
-FILES_${PN}_append_class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
-CONFFILES_openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
-RRECOMMENDS_libcrypto += "openssl-conf"
-RDEPENDS_${PN}-ptest += "openssl-bin perl perl-modules bash"
-RDEPENDS_${PN}-bin += "openssl-conf"
-BBCLASSEXTEND = "native nativesdk"
-CVE_PRODUCT = "openssl:openssl"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
-# Apache in meta-webserver is already recent enough
-CVE_CHECK_WHITELIST += "CVE-2019-0190"
diff --git a/meta/recipes-connectivity/openssl/openssl_3.3.0.bb b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb
new file mode 100644
index 0000000000..66cb361baa
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_3.3.0.bb
@@ -0,0 +1,263 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+           file://run-ptest \
+           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
+           file://bti.patch \
+           "
+SRC_URI:append:class-nativesdk = " \
+           file://environment.d-openssl.sh \
+           "
+SRC_URI[sha256sum] = "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02"
+inherit lib_package multilib_header multilib_script ptest perlnative manpages
+MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
+PACKAGECONFIG ?= ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[manpages] = ""
+B = "${WORKDIR}/build"
+do_configure[cleandirs] = "${B}"
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF:append:libc-musl = " no-async"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
+# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
+do_configure () {
+        # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+        # the issue really clear that perl isn't functional due to symbol mismatch issues.
+        cat <<- EOF > ${WORKDIR}/perltest
+        #!/usr/bin/env perl
+        use POSIX;
+        EOF
+        chmod a+x ${WORKDIR}/perltest
+        ${WORKDIR}/perltest
+        os=${HOST_OS}
+        case $os in
+        linux-gnueabi |\
+        linux-gnuspe |\
+        linux-musleabi |\
+        linux-muslspe |\
+        linux-musl )
+                os=linux
+                ;;
+        *)
+                ;;
+        esac
+        target="$os-${HOST_ARCH}"
+        case $target in
+        linux-arc | linux-microblaze*)
+                target=linux-latomic
+                ;;
+        linux-arm*)
+                target=linux-armv4
+                ;;
+        linux-aarch64*)
+                target=linux-aarch64
+                ;;
+        linux-i?86 | linux-viac3)
+                target=linux-x86
+                ;;
+        linux-gnux32-x86_64 | linux-muslx32-x86_64 )
+                target=linux-x32
+                ;;
+        linux-gnu64-x86_64)
+                target=linux-x86_64
+                ;;
+        linux-loongarch64)
+                target=linux64-loongarch64
+                ;;
+        linux-mips | linux-mipsel)
+                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+                target="linux-mips32 ${TARGET_CC_ARCH}"
+                ;;
+        linux-gnun32-mips*)
+                target=linux-mips64
+                ;;
+        linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
+                target=linux64-mips64
+                ;;
+        linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+                target=linux-generic32
+                ;;
+        linux-powerpc)
+                target=linux-ppc
+                ;;
+        linux-powerpc64)
+                target=linux-ppc64
+                ;;
+        linux-powerpc64le)
+                target=linux-ppc64le
+                ;;
+        linux-riscv32)
+                target=linux32-riscv32
+                ;;
+        linux-riscv64)
+                target=linux64-riscv64
+                ;;
+        linux-sparc | linux-supersparc)
+                target=linux-sparcv9
+                ;;
+        mingw32-x86_64)
+                target=mingw64
+                ;;
+        esac
+        useprefix=${prefix}
+        if [ "x$useprefix" = "x" ]; then
+                useprefix=/
+        fi
+        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+        # environment variables set by bitbake. Adjust the environment variables instead.
+        PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+        test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+        perl ${B}/configdata.pm --dump
+}
+do_install () {
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+        oe_multilib_header openssl/opensslconf.h
+        oe_multilib_header openssl/configuration.h
+        # Create SSL structure for packages such as ca-certificates which
+        # contain hard-coded paths to /etc/ssl. Debian does the same.
+        install -d ${D}${sysconfdir}/ssl
+        mv ${D}${libdir}/ssl-3/certs \
+           ${D}${libdir}/ssl-3/private \
+           ${D}${libdir}/ssl-3/openssl.cnf \
+           ${D}${sysconfdir}/ssl/
+        # Although absolute symlinks would be OK for the target, they become
+        # invalid if native or nativesdk are relocated from sstate.
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+}
+do_install:append:class-native () {
+        create_wrapper ${D}${bindir}/openssl \
+            OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
+            SSL_CERT_DIR=${libdir}/ssl-3/certs \
+            SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
+            OPENSSL_ENGINES=${libdir}/engines-3 \
+            OPENSSL_MODULES=${libdir}/ossl-modules
+}
+do_install:append:class-nativesdk () {
+        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+        install -m 644 ${UNPACKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+        sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+}
+PTEST_BUILD_HOST_FILES += "configdata.pm"
+PTEST_BUILD_HOST_PATTERN = "perl_version ="
+do_install_ptest () {
+        install -d ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
+        # Prune the build tree
+        rm -f ${B}/fuzz/*.* ${B}/test/*.*
+        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
+        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
+        # For test_shlibload
+        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
+        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+        install -d ${D}${PTEST_PATH}/apps
+        ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
+        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
+        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
+        install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
+        install -d ${D}${PTEST_PATH}/providers
+        install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+        install -d ${D}${PTEST_PATH}/Configurations
+        cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
+        # seems to be needed with perl 5.32.1
+        install -d ${D}${PTEST_PATH}/util/perl/recipes
+        cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+}
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the openssl-bin package and the libcrypto
+# package since the openssl-bin package depends on the libcrypto package.
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
+                      ${libdir}/ssl-3/openssl.cnf* \
+                      "
+FILES:${PN}-engines = "${libdir}/engines-3"
+# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RDEPENDS:${PN}-misc = "perl"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
+RDEPENDS:${PN}-bin += "openssl-conf"
+BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT = "openssl:openssl"
+CVE_VERSION_SUFFIX = "alphabetical"