2 files changed, 71 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
new file mode 100644
index 0000000000..80b62ab18c
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -0,0 +1,70 @@
+From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
+Date: Tue, 6 Nov 2018 14:50:47 +0100
+Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
+ info
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The openssl build system generates buildinf.h containing the full
+compiler command line used to compile objects. This breaks
+reproducibility, as the compile command is baked into libcrypto, where
+it is used when running `openssl version -f`.
+Add stripped build variables for the compiler and cflags lines, and use
+those when generating buildinfo.h.
+This is based on a similar patch for older openssl versions:
+https://patchwork.openembedded.org/patch/147229/
+Upstream-Status: Inappropriate [OE specific]
+Signed-off-by: Martin Hundebøll <martin@geanix.com>
+---
+ Configurations/unix-Makefile.tmpl | 10 +++++++++-
+ crypto/build.info                 |  2 +-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 16af4d2087..54c162784c 100644
+--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
+@@ -317,13 +317,21 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (),
+                          '$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
+ BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
+ 
+-# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
+# *_Q variables are used for one thing only: to build up buildinf.h
+ CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g;
+               $cppflags2 =~ s|([\\"])|\\$1|g;
+               $lib_cppflags =~ s|([\\"])|\\$1|g;
+               join(' ', $lib_cppflags || (), $cppflags2 || (),
+                         $cppflags1 || ()) -}
+ 
+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
+              s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g;
+            }
+            join(' ', @{$config{CFLAGS}}) -}
+
+CC_Q={- $config{CC} =~ s|--sysroot=[^ ]+|--sysroot=recipe-sysroot|g;
+        join(' ', $config{CC}) -}
+
+ PERLASM_SCHEME= {- $target{perlasm_scheme} -}
+ 
+ # For x86 assembler: Set PROCESSOR to 386 if you want to support
+diff --git a/crypto/build.info b/crypto/build.info
+index b515b7318e..8c9cee2a09 100644
+--- a/crypto/build.info
+++ b/crypto/build.info
+@@ -10,7 +10,7 @@ EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
+         ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
+ 
+ DEPEND[cversion.o]=buildinf.h
+-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
+ DEPEND[buildinf.h]=../configdata.pm
+ 
+ GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
+-- 
+2.19.1
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
index b44089e82e..1234b64b86 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://0001-skip-test_symbol_presence.patch \
           file://0002-fix-CVE-2018-0734.patch \
           file://0003-fix-CVE-2018-0735.patch \
+           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           "
 SRC_URI_append_class-nativesdk = " \

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch new file mode 100644 index 0000000000..80b62ab18c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch
@@ -0,0 +1,70 @@
		1	From 3e1d00481093e10775eaf69d619c45b32a4aa7dc Mon Sep 17 00:00:00 2001
		2	From: =?UTF-8?q?Martin=20Hundeb=C3=B8ll?= <martin@geanix.com>
		3	Date: Tue, 6 Nov 2018 14:50:47 +0100
		4	Subject: [PATCH] buildinfo: strip sysroot and debug-prefix-map from compiler
		5	info
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	The openssl build system generates buildinf.h containing the full
		11	compiler command line used to compile objects. This breaks
		12	reproducibility, as the compile command is baked into libcrypto, where
		13	it is used when running `openssl version -f`.
		14
		15	Add stripped build variables for the compiler and cflags lines, and use
		16	those when generating buildinfo.h.
		17
		18	This is based on a similar patch for older openssl versions:
		19	https://patchwork.openembedded.org/patch/147229/
		20
		21	Upstream-Status: Inappropriate [OE specific]
		22	Signed-off-by: Martin Hundebøll <martin@geanix.com>
		23	---
		24	Configurations/unix-Makefile.tmpl \| 10 +++++++++-
		25	crypto/build.info \| 2 +-
		26	2 files changed, 10 insertions(+), 2 deletions(-)
		27
		28	diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
		29	index 16af4d2087..54c162784c 100644
		30	--- a/Configurations/unix-Makefile.tmpl
		31	+++ b/Configurations/unix-Makefile.tmpl
		32	@@ -317,13 +317,21 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} \|\| (),
		33	'$(CNF_LDFLAGS)', '$(LDFLAGS)') -}
		34	BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS)
		35
		36	-# CPPFLAGS_Q is used for one thing only: to build up buildinf.h
		37	+# *_Q variables are used for one thing only: to build up buildinf.h
		38	CPPFLAGS_Q={- $cppflags1 =~ s\|([\\"])\|\\$1\|g;
		39	$cppflags2 =~ s\|([\\"])\|\\$1\|g;
		40	$lib_cppflags =~ s\|([\\"])\|\\$1\|g;
		41	join(' ', $lib_cppflags \|\| (), $cppflags2 \|\| (),
		42	$cppflags1 \|\| ()) -}
		43
		44	+CFLAGS_Q={- for (@{$config{CFLAGS}}) {
		45	+ s\|-fdebug-prefix-map=[^ ]+\|-fdebug-prefix-map=\|g;
		46	+ }
		47	+ join(' ', @{$config{CFLAGS}}) -}
		48	+
		49	+CC_Q={- $config{CC} =~ s\|--sysroot=[^ ]+\|--sysroot=recipe-sysroot\|g;
		50	+ join(' ', $config{CC}) -}
		51	+
		52	PERLASM_SCHEME= {- $target{perlasm_scheme} -}
		53
		54	# For x86 assembler: Set PROCESSOR to 386 if you want to support
		55	diff --git a/crypto/build.info b/crypto/build.info
		56	index b515b7318e..8c9cee2a09 100644
		57	--- a/crypto/build.info
		58	+++ b/crypto/build.info
		59	@@ -10,7 +10,7 @@ EXTRA= ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
		60	ppccpuid.pl pariscid.pl alphacpuid.pl arm64cpuid.pl armv4cpuid.pl
		61
		62	DEPEND[cversion.o]=buildinf.h
		63	-GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC) $(LIB_CFLAGS) $(CPPFLAGS_Q)" "$(PLATFORM)"
		64	+GENERATE[buildinf.h]=../util/mkbuildinf.pl "$(CC_Q) $(CFLAGS_Q) $(CPPFLAGS_Q)" "$(PLATFORM)"
		65	DEPEND[buildinf.h]=../configdata.pm
		66
		67	GENERATE[uplink-x86.s]=../ms/uplink-x86.pl $(PERLASM_SCHEME)
		68	--
		69	2.19.1
		70


diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb index b44089e82e..1234b64b86 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
17	file://0001-skip-test_symbol_presence.patch \	17	file://0001-skip-test_symbol_presence.patch \
18	file://0002-fix-CVE-2018-0734.patch \	18	file://0002-fix-CVE-2018-0734.patch \
19	file://0003-fix-CVE-2018-0735.patch \	19	file://0003-fix-CVE-2018-0735.patch \
		20	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
20	"	21	"
21		22
22	SRC_URI_append_class-nativesdk = " \	23	SRC_URI_append_class-nativesdk = " \