openssl: upgrade to 3.1.5

Changes between 3.1.4 and 3.1.5 [30 Jan 2024] * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727]) https://www.openssl.org/news/cl31.txt drop fix_random_labels.patch as fixed in https://github.com/openssl/openssl/commit/99630a1b08fd6464d95052dee4a3500afeb95867 (From OE-Core rev: aeac11fa743567e185179b27b4700bbf8fcf06e1) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2024-03-14 10:26:27 +0800
committer: Steve Sakoman <steve@sakoman.com> 2024-03-20 06:02:50 -1000
commit: 6d2b73edc960222d586029b3099f451cc2d0eb48 (patch)
tree: e5b7677c39f95926942e7f45f3caac17f436095c /meta/recipes-connectivity/openssl/openssl_3.1.5.bb
parent: 521775dcd52bbb2fa29e2fd6e4e18223341e41a5 (diff)
download: poky-6d2b73edc960222d586029b3099f451cc2d0eb48.tar.gz
1 files changed, 261 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.5.bb b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
new file mode 100644
index 0000000000..05bfeac45e
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
@@ -0,0 +1,261 @@
+SUMMARY = "Secure Socket Layer"
+DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
+HOMEPAGE = "http://www.openssl.org/"
+BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
+SECTION = "libs/network"
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
+SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
+           file://run-ptest \
+           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
+           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
+           "
+SRC_URI:append:class-nativesdk = " \
+           file://environment.d-openssl.sh \
+           "
+SRC_URI[sha256sum] = "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
+inherit lib_package multilib_header multilib_script ptest perlnative manpages
+MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
+PACKAGECONFIG ?= ""
+PACKAGECONFIG:class-native = ""
+PACKAGECONFIG:class-nativesdk = ""
+PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
+PACKAGECONFIG[no-tls1] = "no-tls1"
+PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
+PACKAGECONFIG[manpages] = ""
+B = "${WORKDIR}/build"
+do_configure[cleandirs] = "${B}"
+#| ./libcrypto.so: undefined reference to `getcontext'
+#| ./libcrypto.so: undefined reference to `setcontext'
+#| ./libcrypto.so: undefined reference to `makecontext'
+EXTRA_OECONF:append:libc-musl = " no-async"
+EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
+# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
+# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
+EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
+EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
+# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
+CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
+# This allows disabling deprecated or undesirable crypto algorithms.
+# The default is to trust upstream choices.
+DEPRECATED_CRYPTO_FLAGS ?= ""
+do_configure () {
+        # When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
+        # the issue really clear that perl isn't functional due to symbol mismatch issues.
+        cat <<- EOF > ${WORKDIR}/perltest
+        #!/usr/bin/env perl
+        use POSIX;
+        EOF
+        chmod a+x ${WORKDIR}/perltest
+        ${WORKDIR}/perltest
+        os=${HOST_OS}
+        case $os in
+        linux-gnueabi |\
+        linux-gnuspe |\
+        linux-musleabi |\
+        linux-muslspe |\
+        linux-musl )
+                os=linux
+                ;;
+        *)
+                ;;
+        esac
+        target="$os-${HOST_ARCH}"
+        case $target in
+        linux-arc | linux-microblaze*)
+                target=linux-latomic
+                ;;
+        linux-arm*)
+                target=linux-armv4
+                ;;
+        linux-aarch64*)
+                target=linux-aarch64
+                ;;
+        linux-i?86 | linux-viac3)
+                target=linux-x86
+                ;;
+        linux-gnux32-x86_64 | linux-muslx32-x86_64 )
+                target=linux-x32
+                ;;
+        linux-gnu64-x86_64)
+                target=linux-x86_64
+                ;;
+        linux-mips | linux-mipsel)
+                # specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
+                target="linux-mips32 ${TARGET_CC_ARCH}"
+                ;;
+        linux-gnun32-mips*)
+                target=linux-mips64
+                ;;
+        linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
+                target=linux64-mips64
+                ;;
+        linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+                target=linux-generic32
+                ;;
+        linux-powerpc)
+                target=linux-ppc
+                ;;
+        linux-powerpc64)
+                target=linux-ppc64
+                ;;
+        linux-powerpc64le)
+                target=linux-ppc64le
+                ;;
+        linux-riscv32)
+                target=linux-latomic
+                ;;
+        linux-riscv64)
+                target=linux-generic64
+                ;;
+        linux-sparc | linux-supersparc)
+                target=linux-sparcv9
+                ;;
+        mingw32-x86_64)
+                target=mingw64
+                ;;
+        esac
+        useprefix=${prefix}
+        if [ "x$useprefix" = "x" ]; then
+                useprefix=/
+        fi
+        # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
+        # environment variables set by bitbake. Adjust the environment variables instead.
+        PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
+        test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
+        HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
+        perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
+        perl ${B}/configdata.pm --dump
+}
+do_install () {
+        oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
+        oe_multilib_header openssl/opensslconf.h
+        oe_multilib_header openssl/configuration.h
+        # Create SSL structure for packages such as ca-certificates which
+        # contain hard-coded paths to /etc/ssl. Debian does the same.
+        install -d ${D}${sysconfdir}/ssl
+        mv ${D}${libdir}/ssl-3/certs \
+           ${D}${libdir}/ssl-3/private \
+           ${D}${libdir}/ssl-3/openssl.cnf \
+           ${D}${sysconfdir}/ssl/
+        # Although absolute symlinks would be OK for the target, they become
+        # invalid if native or nativesdk are relocated from sstate.
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
+        ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
+}
+do_install:append:class-native () {
+        create_wrapper ${D}${bindir}/openssl \
+            OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
+            SSL_CERT_DIR=${libdir}/ssl-3/certs \
+            SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
+            OPENSSL_ENGINES=${libdir}/engines-3 \
+            OPENSSL_MODULES=${libdir}/ossl-modules
+}
+do_install:append:class-nativesdk () {
+        mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
+        install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+        sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
+}
+PTEST_BUILD_HOST_FILES += "configdata.pm"
+PTEST_BUILD_HOST_PATTERN = "perl_version ="
+do_install_ptest () {
+        install -d ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
+        # Prune the build tree
+        rm -f ${B}/fuzz/*.* ${B}/test/*.*
+        cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/configdata.pm
+        cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
+        # For test_shlibload
+        ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
+        ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
+        install -d ${D}${PTEST_PATH}/apps
+        ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
+        install -m644 ${S}/apps/*.pem ${S}/apps/*.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
+        install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
+        install -d ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
+        install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
+        install -d ${D}${PTEST_PATH}/providers
+        install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
+        install -d ${D}${PTEST_PATH}/Configurations
+        cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
+        # seems to be needed with perl 5.32.1
+        install -d ${D}${PTEST_PATH}/util/perl/recipes
+        cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
+        sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
+}
+# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
+# package RRECOMMENDS on this package. This will enable the configuration
+# file to be installed for both the openssl-bin package and the libcrypto
+# package since the openssl-bin package depends on the libcrypto package.
+PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
+FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
+FILES:libssl = "${libdir}/libssl${SOLIBS}"
+FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
+                      ${libdir}/ssl-3/openssl.cnf* \
+                      "
+FILES:${PN}-engines = "${libdir}/engines-3"
+# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
+FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
+FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
+FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
+FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
+FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
+CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
+RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
+RDEPENDS:${PN}-misc = "perl"
+RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
+RDEPENDS:${PN}-bin += "openssl-conf"
+BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT = "openssl:openssl"
+CVE_VERSION_SUFFIX = "alphabetical"
+# Apache in meta-webserver is already recent enough
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
author	Lee Chee Yang <chee.yang.lee@intel.com>	2024-03-14 10:26:27 +0800
committer	Steve Sakoman <steve@sakoman.com>	2024-03-20 06:02:50 -1000
commit	6d2b73edc960222d586029b3099f451cc2d0eb48 (patch)
tree	e5b7677c39f95926942e7f45f3caac17f436095c /meta/recipes-connectivity/openssl/openssl_3.1.5.bb
parent	521775dcd52bbb2fa29e2fd6e4e18223341e41a5 (diff)
download	poky-6d2b73edc960222d586029b3099f451cc2d0eb48.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.5.bb b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb new file mode 100644 index 0000000000..05bfeac45e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl_3.1.5.bb
@@ -0,0 +1,261 @@
	1	SUMMARY = "Secure Socket Layer"
	2	DESCRIPTION = "Secure Socket Layer (SSL) binary and related cryptographic tools."
	3	HOMEPAGE = "http://www.openssl.org/"
	4	BUGTRACKER = "http://www.openssl.org/news/vulnerabilities.html"
	5	SECTION = "libs/network"
	6
	7	LICENSE = "Apache-2.0"
	8	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04"
	9
	10	SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
	11	file://run-ptest \
	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
	13	file://0001-Configure-do-not-tweak-mips-cflags.patch \
	14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \
	15	"
	16
	17	SRC_URI:append:class-nativesdk = " \
	18	file://environment.d-openssl.sh \
	19	"
	20
	21	SRC_URI[sha256sum] = "6ae015467dabf0469b139ada93319327be24b98251ffaeceda0221848dc09262"
	22
	23	inherit lib_package multilib_header multilib_script ptest perlnative manpages
	24	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
	25
	26	PACKAGECONFIG ?= ""
	27	PACKAGECONFIG:class-native = ""
	28	PACKAGECONFIG:class-nativesdk = ""
	29
	30	PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,cryptodev-linux,,cryptodev-module"
	31	PACKAGECONFIG[no-tls1] = "no-tls1"
	32	PACKAGECONFIG[no-tls1_1] = "no-tls1_1"
	33	PACKAGECONFIG[manpages] = ""
	34
	35	B = "${WORKDIR}/build"
	36	do_configure[cleandirs] = "${B}"
	37
	38	#\| ./libcrypto.so: undefined reference to `getcontext'
	39	#\| ./libcrypto.so: undefined reference to `setcontext'
	40	#\| ./libcrypto.so: undefined reference to `makecontext'
	41	EXTRA_OECONF:append:libc-musl = " no-async"
	42	EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm"
	43
	44	# adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions
	45	# (native versions can be built with newer glibc, but then relocated onto a system with older glibc)
	46	EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom"
	47	EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom"
	48
	49	# Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate.
	50	CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
	51	CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin"
	52
	53	# This allows disabling deprecated or undesirable crypto algorithms.
	54	# The default is to trust upstream choices.
	55	DEPRECATED_CRYPTO_FLAGS ?= ""
	56
	57	do_configure () {
	58	# When we upgrade glibc but not uninative we see obtuse failures in openssl. Make
	59	# the issue really clear that perl isn't functional due to symbol mismatch issues.
	60	cat <<- EOF > ${WORKDIR}/perltest
	61	#!/usr/bin/env perl
	62	use POSIX;
	63	EOF
	64	chmod a+x ${WORKDIR}/perltest
	65	${WORKDIR}/perltest
	66
	67	os=${HOST_OS}
	68	case $os in
	69	linux-gnueabi \|\
	70	linux-gnuspe \|\
	71	linux-musleabi \|\
	72	linux-muslspe \|\
	73	linux-musl )
	74	os=linux
	75	;;
	76	*)
	77	;;
	78	esac
	79	target="$os-${HOST_ARCH}"
	80	case $target in
	81	linux-arc \| linux-microblaze*)
	82	target=linux-latomic
	83	;;
	84	linux-arm*)
	85	target=linux-armv4
	86	;;
	87	linux-aarch64*)
	88	target=linux-aarch64
	89	;;
	90	linux-i?86 \| linux-viac3)
	91	target=linux-x86
	92	;;
	93	linux-gnux32-x86_64 \| linux-muslx32-x86_64 )
	94	target=linux-x32
	95	;;
	96	linux-gnu64-x86_64)
	97	target=linux-x86_64
	98	;;
	99	linux-mips \| linux-mipsel)
	100	# specifying TARGET_CC_ARCH prevents openssl from (incorrectly) adding target architecture flags
	101	target="linux-mips32 ${TARGET_CC_ARCH}"
	102	;;
	103	linux-gnun32-mips*)
	104	target=linux-mips64
	105	;;
	106	linux--mips64 \| linux-mips64 \| linux--mips64el \| linux-mips64el)
	107	target=linux64-mips64
	108	;;
	109	linux-nios2* \| linux-sh3 \| linux-sh4 \| linux-arc*)
	110	target=linux-generic32
	111	;;
	112	linux-powerpc)
	113	target=linux-ppc
	114	;;
	115	linux-powerpc64)
	116	target=linux-ppc64
	117	;;
	118	linux-powerpc64le)
	119	target=linux-ppc64le
	120	;;
	121	linux-riscv32)
	122	target=linux-latomic
	123	;;
	124	linux-riscv64)
	125	target=linux-generic64
	126	;;
	127	linux-sparc \| linux-supersparc)
	128	target=linux-sparcv9
	129	;;
	130	mingw32-x86_64)
	131	target=mingw64
	132	;;
	133	esac
	134
	135	useprefix=${prefix}
	136	if [ "x$useprefix" = "x" ]; then
	137	useprefix=/
	138	fi
	139	# WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the
	140	# environment variables set by bitbake. Adjust the environment variables instead.
	141	PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)"
	142	test -d "$PERLEXTERNAL" \|\| bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!"
	143	HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \
	144	perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target
	145	perl ${B}/configdata.pm --dump
	146	}
	147
	148	do_install () {
	149	oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)}
	150
	151	oe_multilib_header openssl/opensslconf.h
	152	oe_multilib_header openssl/configuration.h
	153
	154	# Create SSL structure for packages such as ca-certificates which
	155	# contain hard-coded paths to /etc/ssl. Debian does the same.
	156	install -d ${D}${sysconfdir}/ssl
	157	mv ${D}${libdir}/ssl-3/certs \
	158	${D}${libdir}/ssl-3/private \
	159	${D}${libdir}/ssl-3/openssl.cnf \
	160	${D}${sysconfdir}/ssl/
	161
	162	# Although absolute symlinks would be OK for the target, they become
	163	# invalid if native or nativesdk are relocated from sstate.
	164	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs
	165	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private
	166	ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf
	167	}
	168
	169	do_install:append:class-native () {
	170	create_wrapper ${D}${bindir}/openssl \
	171	OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \
	172	SSL_CERT_DIR=${libdir}/ssl-3/certs \
	173	SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \
	174	OPENSSL_ENGINES=${libdir}/engines-3 \
	175	OPENSSL_MODULES=${libdir}/ossl-modules
	176	}
	177
	178	do_install:append:class-nativesdk () {
	179	mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d
	180	install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
	181	sed 's\|/usr/lib/ssl/\|/usr/lib/ssl-3/\|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh
	182	}
	183
	184	PTEST_BUILD_HOST_FILES += "configdata.pm"
	185	PTEST_BUILD_HOST_PATTERN = "perl_version ="
	186	do_install_ptest () {
	187	install -d ${D}${PTEST_PATH}/test
	188	install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
	189	install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
	190	install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
	191
	192	# Prune the build tree
	193	rm -f ${B}/fuzz/. ${B}/test/.
	194
	195	cp ${S}/Configure ${B}/configdata.pm ${D}${PTEST_PATH}
	196	sed 's\|${S}\|${PTEST_PATH}\|g' -i ${D}${PTEST_PATH}/configdata.pm
	197	cp -r ${S}/external ${B}/test ${S}/test ${B}/fuzz ${S}/util ${B}/util ${D}${PTEST_PATH}
	198
	199	# For test_shlibload
	200	ln -s ${libdir}/libcrypto.so.1.1 ${D}${PTEST_PATH}/
	201	ln -s ${libdir}/libssl.so.1.1 ${D}${PTEST_PATH}/
	202
	203	install -d ${D}${PTEST_PATH}/apps
	204	ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
	205	install -m644 ${S}/apps/.pem ${S}/apps/.srl ${S}/apps/openssl.cnf ${D}${PTEST_PATH}/apps
	206	install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
	207
	208	install -d ${D}${PTEST_PATH}/engines
	209	install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
	210	install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
	211	install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
	212
	213	install -d ${D}${PTEST_PATH}/providers
	214	install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
	215
	216	install -d ${D}${PTEST_PATH}/Configurations
	217	cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
	218
	219	# seems to be needed with perl 5.32.1
	220	install -d ${D}${PTEST_PATH}/util/perl/recipes
	221	cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
	222
	223	sed 's\|${S}\|${PTEST_PATH}\|g' -i ${D}${PTEST_PATH}/util/wrap.pl
	224	}
	225
	226	# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
	227	# package RRECOMMENDS on this package. This will enable the configuration
	228	# file to be installed for both the openssl-bin package and the libcrypto
	229	# package since the openssl-bin package depends on the libcrypto package.
	230
	231	PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy"
	232
	233	FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}"
	234	FILES:libssl = "${libdir}/libssl${SOLIBS}"
	235	FILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf \
	236	${libdir}/ssl-3/openssl.cnf* \
	237	"
	238	FILES:${PN}-engines = "${libdir}/engines-3"
	239	# ${prefix} comes from what we pass into --prefix at configure time (which is used for INSTALLTOP)
	240	FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3"
	241	FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash"
	242	FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so"
	243	FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/"
	244	FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh"
	245
	246	CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
	247
	248	RRECOMMENDS:libcrypto += "openssl-conf ${PN}-ossl-module-legacy"
	249	RDEPENDS:${PN}-misc = "perl"
	250	RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
	251
	252	RDEPENDS:${PN}-bin += "openssl-conf"
	253
	254	BBCLASSEXTEND = "native nativesdk"
	255
	256	CVE_PRODUCT = "openssl:openssl"
	257
	258	CVE_VERSION_SUFFIX = "alphabetical"
	259
	260	# Apache in meta-webserver is already recent enough
	261	CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"