linux/poky.git/meta/recipes-connectivity/openssl, branch kirkstone-next

openssl: upgrade to 3.0.2

2022-03-16T10:31:41+00:00

* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli ([CVE-2022-0778]) (From OE-Core rev: 30f054a1e0afaa26d16a411df2a6310104342e63) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

meta/scripts: Automated conversion of OE renamed variables

2022-02-21T23:37:27+00:00

(From OE-Core rev: aa52af4518604b5bf13f3c5e885113bf868d6c81) Signed-off-by: Richard Purdie

openssl: Add perl functionality test to do_configure

2022-02-16T09:46:28+00:00

Loading the POSIX module after loading others in perl causes errors to get hidden. The resulting build failures are obtuse and hard to debug. We see this quite often when we upgrade glibc but not uninative and there are symbol mismatches. Add a quick test to the start of configure which tests perl operates correct and shows a much more obvious error if it isn't since the POSIX module doesn't have to reload. An example of the new error is: | Can't load 'XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/auto/POSIX/POSIX.so' for module POSIX: | XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/sysroots-uninative/x86_64-linux/lib/libm.so.6: version `GLIBC_2.35' not found | (required by XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/auto/POSIX/POSIX.so) at | XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/XSLoader.pm line 111. | at XXX/buildtools-extended-tarball/1.0-r0/testimage-sdk/XXX/openssl-native/3.0.1-r0/recipe-sysroot-native/usr/lib/perl5/5.34.0/x86_64-linux/POSIX.pm line 24. which clearly shows the glibc symbol issue. (From OE-Core rev: 684b656c5e6bf8cb10467c8d0fff1a9eeaf4256f) Signed-off-by: Richard Purdie

openssl: export OPENSSL_MODULES in the wrapper

2022-02-01T07:31:18+00:00

OpenSSL 3 added the concept of provider modules which are loaded from disk. The load path is hard-coded into the library and needs to be relocated when running natively, so add OPENSSL_MODULES to the wrapper. (From OE-Core rev: 160ac2f136cb8df829c803848c7c47d707a908ff) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

openssl: Add reproducibility fix

2022-01-04T23:14:05+00:00

When the date rolled from one year to another, it highlighted a reproducibility issue in openssl. Patch a workaround for this to avoid autobuilder failures. Help submitting upstream welcome. (From OE-Core rev: f8281e290737dba16a46d7ae937c66b3266e0fe8) Signed-off-by: Richard Purdie

openssl: upgrade to 3.0.1

2021-12-21T12:01:41+00:00

Major changes in 3.0.1: * Fixed invalid handling of X509_verify_cert() internal errors in libssl ([CVE-2021-4044]) * Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query. Drop patches which were backported. Add sed to openssl-ptest as the tests use 'sed -u', which isn't supported by busybox. Ensure that we package the dummy async engine, needed by the test suite. (From OE-Core rev: 5cd40648b0ba88cd9905800e748ae98f08c10ac7) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

openssl: Use linux-latomic target for ARC

2021-12-08T20:22:11+00:00

Some atomic ops for 32-bit ARC processors are implemented in GCC's libatomic. For example those dealing with 64-bit data (e.g. __atomic_load_8()) as well as some others. That said it's required to add "-latomic" for successful linkage. Otherwise error messages like this happen on OpenSSL building for ARC: ------------------------------->8------------------------------ | ...ld: libcrypto.a(libcrypto-lib-threads_pthread.o): in function `CRYPTO_atomic_or': | .../openssl-3.0.0/crypto/threads_pthread.c:219: undefined reference to `__atomic_is_lock_free' | ...ld: .../openssl-3.0.0/crypto/threads_pthread.c:219: undefined reference to `__atomic_is_lock_free' | ...ld: .../openssl-3.0.0/crypto/threads_pthread.c:220: undefined reference to `__atomic_fetch_or_8' ------------------------------->8------------------------------ Fix that by using a special target, which does exactly what's needed. See [1] and [2] for more details on the matter. [1] https://github.com/openssl/openssl/commit/cdf2986a70d92668d882eb29737225f1aaafd0f1 [2] https://github.com/openssl/openssl/pull/15640 (From OE-Core rev: f48227a192022c604f8c2ea4fe973c6664861101) Signed-off-by: Alexey Brodkin Signed-off-by: Richard Purdie

openssl: fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value

2021-12-03T23:37:16+00:00

Backport a patch from upstream. Specifically, this fixes signature validation in trusted-firmware-a with OpenSSL 3. (From OE-Core rev: ac670fd4f543f439efdea26e813a4b5121161289) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

openssl: fix builds on ARMv8 targets without Aarch64

2021-11-03T10:12:42+00:00

ARMv8 doesn't imply Aarch64, so correct a check that was making that assumption. This fixes the build on 32-bit ARMv8 targets such as Cortex-A32. (From OE-Core rev: 78ae8b02bfbf0d98ae481682179439845d30c797) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

openssl: Drop riscv32 upstreamed patches

2021-10-15T16:55:09+00:00

These patches are already available in 3.0 (From OE-Core rev: 063d085534b7b3659c5721228bb58f4e8115b5ee) Signed-off-by: Khem Raj Signed-off-by: Richard Purdie