path: root/meta/recipes-connectivity/openssl
Commit message | Author | Age | Files | Lines
* openssl: openssl: patch CVE-2024-2511 | Peter Marko | 9 days | 2 | -0/+121
  Patch: https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
  News: https://github.com/openssl/openssl/commit/b7acb6731a96b073d6150465bd090e2052a595c2
  (From OE-Core rev: b439d1c9e5a115bbb5193a2df25e84291cc07bec)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix crash on aarch64 if BTI is enabled but no Crypto instructions | Ross Burton | 2024-03-30 | 2 | -0/+59
  On aarch64, if the processor doesn't have the Crypto instructions then OpenSSL will fall back onto the "bit-sliced" assembler routines. When branch protection (BTI) was enabled in OpenSSL these routines were missed, so if BTI is available libssl will immediately abort when it enters this assembler.
  Backport a patch submitted upstream to add the required call target annotations so that BTI doesn't believe the code is being exploited.
  (From OE-Core rev: 438a390e8e1811bc2d3820c1cd2b8e099e70064a)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Match target name for loongarch64 | Xiaotian Wu | 2024-02-27 | 1 | -0/+3
  This is updated in openssl [1] since openssl 3.2.0-alpha1 onwards
  [1] https://github.com/openssl/openssl/commit/b625e21e67666213ffd3ba6b1f2cd8a847ba6b66
  (From OE-Core rev: 1e5b30d92da2e51e6a4ba75e2cc1e9ccebc8efe7)
  Signed-off-by: Xiaotian Wu <wuxiaotian@loongson.cn>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: Remove some not needed CVE_STATUS | Simone Weiß | 2024-02-24 | 1 | -2/+0
  CVE_STATUS was set for those components, but meanwhile databases are updated with corrected information, so setting the CVE_STATUS is not needed anymore.
  (From OE-Core rev: 5ec6057cfa66ceeb33bec013e320f8e3fa7d7ecf)
  Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.2.0 -> 3.2.1 | Peter Marko | 2024-02-05 | 4 | -183/+2
  Fixes CVE-2024-0727 and CVE-2023-6237
  Removed included patch backports.
  New module was implemented in tests and needs to be installed to successfully pass 04-test_provider.t test.
  Release information: https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-320-and-openssl-321-30-jan-2024
  (From OE-Core rev: b50f1c4ccac12e9dbdeb5a6fec0413c9cd901d88)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: backport fix for CVE-2023-6129 | Ross Burton | 2024-02-02 | 2 | -0/+114
  (From OE-Core rev: 7fa10f29b31f8aae572026a00a6354aec539d044)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Fix build on riscv | Khem Raj | 2024-01-19 | 2 | -0/+32
  Backport a typo fix RISCV_HAS_ZKND_ZKNE -> RISCV_HAS_ZKND_AND_ZKNE
  (From OE-Core rev: 2b2bf78c7250a23a476f168d3f1789496c1c27e9)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: mark assembler sections as call targets for PAC/BTI support on aarch64 | Ross Burton | 2023-12-21 | 2 | -0/+36
  The assembler sections in OpenSSL were not marked as valid call targets, so branch protection could not be enabled for libcrypto.so.
  (From OE-Core rev: 4bf06bc5487da05e6b4a4895e5ca2da65cdc25d8)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade to 3.2.0 | Lee Chee Yang | 2023-12-04 | 3 | -60/+1
  Upgrade includes fix for CVE-2023-5678.
  Changes in 3.2.0: https://www.openssl.org/news/cl32.txt
  drop upstreamed 0001-Link-libatomic-on-riscv32.patch.
  drop fix_random_labels.patch as fixed by https://github.com/openssl/openssl/commit/0fbc50ef0cb8894973d4739af62e95be825b7ccf
  (From OE-Core rev: 5a40f27051a1d40af41e7260b9f693a3c27c321f)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: improve handshake test error reporting | William Lyu | 2023-11-05 | 2 | -0/+375
  Fixes [YOCTO #15225]
  Yocto Bug #15255 is not reproducible. To obtain more useful information for debugging, the OpenSSL test code is improved so that more detailed state information in the handshake loop is printed when an error occurs.
  (From OE-Core rev: 5bf9a70f580357badd01f39822998985654b0bfc)
  Signed-off-by: William Lyu <William.Lyu@windriver.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.1.3 -> 3.1.4 | Peter Marko | 2023-10-26 | 1 | -1/+1
  https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-313-and-openssl-314-24-oct-2023
  Major changes between OpenSSL 3.1.3 and OpenSSL 3.1.4 [24 Oct 2023]
  * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)
  (From OE-Core rev: 104ba16de434a08b0c8ba4208be187f0ad1a2cf8)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Inherit riscv32 config from latomic config on linux | Khem Raj | 2023-10-25 | 2 | -0/+36
  We still need this option for riscv32, the patch is also submitted upstream
  (From OE-Core rev: 2e923a5a67e51463dcf938079c4a199873ccba85)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Match target name for riscv64/riscv32 | Khem Raj | 2023-10-23 | 1 | -2/+2
  This is updated in openssl [1] [2] since openssl 3.2 onwards
  [1] https://github.com/openssl/openssl/commit/42ee6e7be43c57136d71e5612fed22a06f7f5d0e
  [2] https://github.com/openssl/openssl/commit/c29554245ae107c87d71c8463eef0134391da318
  (From OE-Core rev: ed280618b40e5c67d475f74569183a11619b52c2)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.1.2 -> 3.1.3 | Peter Marko | 2023-09-22 | 1 | -1/+1
  https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-312-and-openssl-313-19-sep-2023
  Major changes between OpenSSL 3.1.2 and OpenSSL 3.1.3 [19 Sep 2023]
  * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)
  (From OE-Core rev: eb65fdd971aa30d3fd09a8bc1b33ad2a1197f364)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: ensure all ptest fails are caught | Alexander Kanavin | 2023-09-18 | 1 | -1/+1
  Piping results through sed may mask failures that sed isn't catching.
  (From OE-Core rev: 2b1b0e9e4d5011e7c2fd1b59fc277a7cfdc41194)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: parallelize tests | Alexander Kanavin | 2023-09-18 | 1 | -1/+1
  This brings them from 15 minutes to just over 4.
  (From OE-Core rev: 9eeee78aa94aaa441da012aeb904a0f1cbcd4d91)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: build and install manpages only if they are enabled | Alexander Kanavin | 2023-09-07 | 1 | -2/+3
  This significantly speeds up the build by default.
  (From OE-Core rev: 2b5ee583c62dbe381cd429da14ecbba5ea32d506)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.1.1 -> 3.1.2 | Peter Marko | 2023-08-16 | 1 | -1/+1
  https://github.com/openssl/openssl/blob/openssl-3.1/NEWS.md#major-changes-between-openssl-311-and-openssl-312-1-aug-2023
  Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023]
  * Fix excessive time spent checking DH q parameter value (CVE-2023-3817)
  * Fix DH_check() excessive time with over sized modulus (CVE-2023-3446)
  * Do not ignore empty associated data entries with AES-SIV (CVE-2023-2975)
  * When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret and the Hash and HMAC DRBGs will not operate with truncated digests.
  (From OE-Core rev: e65802383b02df6f502af859a927309d881bbb27)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS | Andrej Valek | 2023-07-21 | 1 | -2/+1
  - Try to add convert and apply statuses for old CVEs
  - Drop some obsolete ignores, while they are not relevant for current version
  (From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7)
  Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
  Reviewed-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: use a glob on the PERLEXTERNAL to track updates on the path | Jose Quaresma | 2023-07-14 | 1 | -1/+1
  The Text-Template was updated from 1.46 to 1.56
  | ERROR: openssl-native-3.1.1-r0 do_configure: PERLEXTERNAL '/build/tmp/work/x86_64-linux/openssl-native/3.1.1-r0/openssl-3.1.1/external/perl/Text-Template-1.46/lib' not found!
  (From OE-Core rev: b9a7739b01e31d0cc8358d99255e3e1b02a0a1a8)
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: add PERLEXTERNAL path to test its existence | Jose Quaresma | 2023-07-14 | 1 | -1/+3
  When upstream changes, it is better to fail or to remove the PERL5LIB if they are not needed anymore.
  (From OE-Core rev: 337ac1159644678508990927923ef8af30f34cd7)
  Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix building on riscv32 | Dmitry Baryshkov | 2023-06-06 | 1 | -1/+1
  On riscv32 configurations OpenSSL fails to build with "undefined reference to `__atomic_foo'" kind of errors. Change OpenSSL recipe to use linux-latomic configuration instead of linux-generic32.
  (From OE-Core rev: e8ce80fc6d6579554bca2eba057e65d4b12c0793)
  Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade 3.1.0 -> 3.1.1 | Tim Orling | 2023-06-01 | 3 | -236/+12
  * Drop CVE-2023-0464.patch (merged upstream).
  * Refresh 0001-Configure-do-not-tweak-mips-cflags.patch
  https://github.com/openssl/openssl/blob/openssl-3.1.1/NEWS.md
  Major changes between OpenSSL 3.1.0 and OpenSSL 3.1.1 [30 May 2023]
  * Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
  * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
  * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
  * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
  * Limited the number of nodes created in a policy tree (CVE-2023-0464)
  Security Advisory: https://www.openssl.org/news/secadv/20230530.txt
  CVE: CVE-2023-2650
  CVE: CVE-2023-1255
  CVE: CVE-2023-0466
  CVE: CVE-2023-0465
  CVE: CVE-2023-0464
  (From OE-Core rev: 26ce9a5fd31c27812ce8784a398b600cc0e9aa80)
  Signed-off-by: Tim Orling <tim.orling@konsulko.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* OpenSSL: Security fix for CVE-2023-0464 | Siddharth Doshi | 2023-03-26 | 2 | -0/+227
  Upstream-Status: Backport from [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2017771e2db3e2b96f89bbe8766c3209f6a99545]
  (From OE-Core rev: 20ae485ef65bef2ddbffe05fd29cc7d411c38448)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Fix reproducibility issue | Richard Purdie | 2023-03-16 | 2 | -0/+23
  Fix an issue introduced in the new openssl version where an assembler file isn't generated in a reproducible way by seeding the perl random number generator consistently. It has no crypto impact, it is just used to avoid function name clashes.
  (From OE-Core rev: 448df3e1c02fe224d62f59a236fdcd47ea7e695f)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: update from 3.0.8 to 3.1.0 | Randy MacLeod | 2023-03-16 | 2 | -33/+1
  From the NEWS.md file:
  ### Major changes between OpenSSL 3.0 and OpenSSL 3.1.0 [14 Mar 2023]
  * SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0.
  * Performance enhancements and new platform support including new assembler code algorithm implementations.
  * Deprecated LHASH statistics functions.
  * FIPS 140-3 compliance changes.
  Drop the upstreamed afalg.patch:
  c425e365f4 Configure: don't try to be clever when configuring afalgeng
  (From OE-Core rev: 71c763ed4fbbea22a6a0b145e4e29436c7e59625)
  Signed-off-by: Randy MacLeod <randy.macleod@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.0.7 -> 3.0.8 | Siddharth Doshi | 2023-02-20 | 2 | -45/+1
  OpenSSL 3.0.8 fixes 1 HIGH level security vulnerability and 7 MODERATE level security vulnerabilities [1].
  Upgrade the recipe to point to 3.0.8.
  CVE-2022-3996 is reported fixed in 3.0.8, so drop the patch for that as well.
  [1] https://www.openssl.org/news/vulnerabilities.html
  CVEs Fixed: https://www.openssl.org/news/secadv/20230207.txt
  (From OE-Core rev: 8461466f63200a0b1c9c247b70fdf5819651544c)
  Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
  Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix CVE-2022-3996 double locking leads to denial of service | Vivek Kumbhar | 2023-02-01 | 2 | -0/+44
  (From OE-Core rev: c20b7b864dc6726a2ed4a40cf5a30661ad28c6e0)
  Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.0.5 -> 3.0.7 | Ed Tanous | 2022-11-02 | 2 | -57/+1
  OpenSSL 3.0.5 includes a HIGH level security vulnerability [1].
  Upgrade the recipe to point to 3.0.7.
  CVE-2022-3358 is reported fixed in 3.0.6, so drop the patch for that as well.
  [1] https://www.openssl.org/news/vulnerabilities.html
  Fixes CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
  https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
  (From OE-Core rev: a69ea1f7db96ec8b853573bd581438edd42ad6e0)
  Signed-off-by: Ed Tanous <edtanous@google.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Fix SSL_CERT_FILE to match ca-certs location | Richard Purdie | 2022-10-26 | 1 | -1/+1
  In OE-Core d6b15d1e70b99185cf245d829ada5b6fb99ec1af, "openssl: export necessary env vars in SDK", the value added for SSL_CERT_FILE was in conflict with the value used elsewhere, such as in buildtools. This makes them match and fixes buildtools testsdk failures.
  (From OE-Core rev: 7d383a7fc6da666c80f2fc037af5f49a3388eb2b)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: CVE-2022-3358 Using a Custom Cipher with NID_undef may lead to NULL encryption | Hitendra Prajapati | 2022-10-26 | 2 | -0/+56
  Upstream-Status: Backport from https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5485c56679d7c49b96e8fc8ca708b0b7e7c03c4b]
  Description: CVE-2022-3358 openssl: Using a Custom Cipher with NID_undef may lead to NULL encryption.
  Affects "openssl < 3.0.6"
  (From OE-Core rev: f98b2273c6f03f8f6029a7a409600ce290817e27)
  Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: export necessary env vars in SDK | Chen Qi | 2022-10-25 | 1 | -0/+4
  In current SDK, when running the following command in python shell, we get an error.
    $ python3
    >>> from cryptography.hazmat.backends import openssl
  The error message is as below:
    cryptography.exceptions.InternalError: Unknown OpenSSL error.
  We could set OPENSSL_MODULES explicitly in nativesdk-openssl package so that when SDK is set up, it's in environment and we can get rid of the above error.
  Also, there are other env vars that need to be exported. And we export all of them to keep sync with openssl-native.bbclass.
  (From OE-Core rev: d6b15d1e70b99185cf245d829ada5b6fb99ec1af)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Move microblaze to linux-latomic config | Mark Hatle | 2022-07-28 | 1 | -2/+2
  When building with the previous a number of atomic functions come back as undefined. Switching to linux-latomic fixes this.
  (From OE-Core rev: 88d5bf78ffb1d120df48139b1ed3c2e3fa8310d0)
  Signed-off-by: Mark Hatle <mark.hatle@kernel.crashing.org>
  Signed-off-by: Mark Hatle <mark.hatle@amd.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: update 3.0.4 -> 3.0.5 | Alexander Kanavin | 2022-07-08 | 1 | -1/+1
  CVEs fixed: https://www.openssl.org/news/secadv/20220705.txt
  (From OE-Core rev: 84204dea7dec05e053cce5be0071cd9c1fb4ff6f)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Upgrade 3.0.3 -> 3.0.4 | Richard Purdie | 2022-07-01 | 5 | -77/+21
  Includes a fix for CVE-2022-2068.
  (From OE-Core rev: f034faebd45e63385849078e6ee4b51257763e99)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Backport fix for ptest cert expiry | Richard Purdie | 2022-06-02 | 2 | -0/+56
  ptests in openssl have started failing as one of the test certificates has expired. Backport a fix for this from upstream, replacing the test certificate to allow the ptests to pass again.
  (From OE-Core rev: f26f0b34f12bbca2beed153da402a3594d127374)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: minor security upgrade 3.0.2 -> 3.0.3 | Davide Gardenal | 2022-05-15 | 1 | -1/+1
  This minor version includes fixes for several CVEs
  CVE: CVE-2022-1292
  CVE: CVE-2022-1343
  CVE: CVE-2022-1434
  CVE: CVE-2022-1473
  (From OE-Core rev: d63ddc0874da32940be2b802ab31f49286e49f63)
  Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: extract legacy provider module to a separate package | Peter Marko | 2022-04-20 | 1 | -2/+3
  This module contains legacy cipher suites from libcrypto. We should not need to include base package because we want to use this part of libcrypto.
  (From OE-Core rev: 1537ebc3f6ae2aec9a3864b03704ab4dbc0e971b)
  Signed-off-by: Peter Marko <peter.marko@siemens.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade to 3.0.2 | Ross Burton | 2022-03-16 | 2 | -24/+1
  * Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli ([CVE-2022-0778])
  (From OE-Core rev: 30f054a1e0afaa26d16a411df2a6310104342e63)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta/scripts: Automated conversion of OE renamed variables | Richard Purdie | 2022-02-21 | 1 | -1/+1
  (From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add perl functionality test to do_configure | Richard Purdie | 2022-02-16 | 1 | -0/+9
  Loading the POSIX module after loading others in perl causes errors to get hidden. The resulting build failures are obtuse and hard to debug. We see this quite often when we upgrade glibc but not uninative and there are symbol mismatches.
  Add a quick test to the start of configure which tests perl operates correctly and shows a much more obvious error if it isn't since the POSIX module doesn't have to reload.
  An example of the new error is:
  | Can't load 'XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/auto/POSIX/POSIX.so' for module POSIX:
  | XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/sysroots-uninative/x86_64-linux/lib/libm.so.6: version `GLIBC_2.35' not found
  | (required by XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/auto/POSIX/POSIX.so) at
  | XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/XSLoader.pm line 111.
  | at XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/POSIX.pm line 24.
  which clearly shows the glibc symbol issue.
  (From OE-Core rev: 684b656c5e6bf8cb10467c8d0fff1a9eeaf4256f)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: export OPENSSL_MODULES in the wrapper | Ross Burton | 2022-02-01 | 1 | -1/+2
  OpenSSL 3 added the concept of provider modules which are loaded from disk. The load path is hard-coded into the library and needs to be relocated when running natively, so add OPENSSL_MODULES to the wrapper.
  (From OE-Core rev: 160ac2f136cb8df829c803848c7c47d707a908ff)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Add reproducibility fix | Richard Purdie | 2022-01-04 | 2 | -0/+23
  When the date rolled from one year to another, it highlighted a reproducibility issue in openssl. Patch a workaround for this to avoid autobuilder failures. Help submitting upstream welcome.
  (From OE-Core rev: f8281e290737dba16a46d7ae937c66b3266e0fe8)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade to 3.0.1 | Ross Burton | 2021-12-21 | 3 | -148/+9
  Major changes in 3.0.1:
  * Fixed invalid handling of X509_verify_cert() internal errors in libssl ([CVE-2021-4044])
  * Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.
  Drop patches which were backported.
  Add sed to openssl-ptest as the tests use 'sed -u', which isn't supported by busybox.
  Ensure that we package the dummy async engine, needed by the test suite.
  (From OE-Core rev: 5cd40648b0ba88cd9905800e748ae98f08c10ac7)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Use linux-latomic target for ARC | Alexey Brodkin | 2021-12-08 | 1 | -0/+3
  Some atomic ops for 32-bit ARC processors are implemented in GCC's libatomic. For example those dealing with 64-bit data (e.g. __atomic_load_8()) as well as some others.
  That said it's required to add "-latomic" for successful linkage.
  Otherwise error messages like this happen on OpenSSL building for ARC:
  ------------------------------->8------------------------------
  | ...ld: libcrypto.a(libcrypto-lib-threads_pthread.o): in function `CRYPTO_atomic_or':
  | .../openssl-3.0.0/crypto/threads_pthread.c:219: undefined reference to `__atomic_is_lock_free'
  | ...ld: .../openssl-3.0.0/crypto/threads_pthread.c:219: undefined reference to `__atomic_is_lock_free'
  | ...ld: .../openssl-3.0.0/crypto/threads_pthread.c:220: undefined reference to `__atomic_fetch_or_8'
  ------------------------------->8------------------------------
  Fix that by using a special target, which does exactly what's needed.
  See [1] and [2] for more details on the matter.
  [1] https://github.com/openssl/openssl/commit/cdf2986a70d92668d882eb29737225f1aaafd0f1
  [2] https://github.com/openssl/openssl/pull/15640
  (From OE-Core rev: f48227a192022c604f8c2ea4fe973c6664861101)
  Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value | Ross Burton | 2021-12-03 | 2 | -0/+109
  Backport a patch from upstream. Specifically, this fixes signature validation in trusted-firmware-a with OpenSSL 3.
  (From OE-Core rev: ac670fd4f543f439efdea26e813a4b5121161289)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: fix builds on ARMv8 targets without Aarch64 | Ross Burton | 2021-11-03 | 2 | -0/+30
  ARMv8 doesn't imply Aarch64, so correct a check that was making that assumption. This fixes the build on 32-bit ARMv8 targets such as Cortex-A32.
  (From OE-Core rev: 78ae8b02bfbf0d98ae481682179439845d30c797)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: Drop riscv32 upstreamed patches | Khem Raj | 2021-10-15 | 3 | -166/+0
  These patches are already available in 3.0
  (From OE-Core rev: 063d085534b7b3659c5721228bb58f4e8115b5ee)
  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: update 1.1.1l -> 3.0.0 | Alexander Kanavin | 2021-10-14 | 6 | -128/+90
  Drop 0001-skip-test_symbol_presence.patch - testing revealed no need for it, and I couldn't quite understand what it does.
  Drop reproducible.patch - upstream has removed the non-reproducible bit.
  Process lines in run-ptest with sed one by one rather than with perl after the test completes, avoiding ptest-runner timeout errors.
  License-Update: openssl relicense to apache 2.0. Goodbye awkward gpl exceptions in consumers.
  DEPRECATED_CRYPTO_FLAGS is now empty by default but available by anyone who wants to set it. Trying to come up with a working set was not a good idea as shown in the deleted comment.
  (From OE-Core rev: f028a55383588d68c052f19f16d0f3f4d0560c57)
  Signed-off-by: Alexander Kanavin <alex@linutronix.de>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* openssl: upgrade from 1.1.1k to 1.1.1l | Randy MacLeod | 2021-08-26 | 1 | -1/+1
  Includes fixes for:
  CVE: CVE-2021-3711
  CVE: CVE-2021-3712
  as described by: https://www.openssl.org/news/secadv/20210824.txt
  Ptest results on qemux86-64 with kvm:
    All tests successful.
    Files=158, Tests=2532, 137 wallclock secs \
    ( 2.59 usr 0.33 sys + 104.71 cusr 44.19 csys = 151.82 CPU)
    Result: PASS
    DURATION: 137
  (From OE-Core rev: fdb6d8c0604e7170ad0c361d54ce9a19253afe36)
  Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>